GDPR and Industries: impact on Financial Services
Using transaction information under GDPR
Using customers’ financial information is interesting for both the traditional financial services industry, as well as for newcomers. The General Data Protection Regulation (GDPR) strengthens the existing privacy rules, but also allows organizations to make use of personal data within these constraints.
Annika Sponselee & Bart Witteman - July 5, 2017
You are what you buy (maybe)
Google’s search engine is often characterized as the ideal advertising information gathering machine: Google users type in exactly what they want at that moment. My search for ‘black leather sneakers’ likely means that I’m looking for new shoes. A good opportunity to show me where to get that great pair of new shoes.
Many consumer banks have transaction information available, which provides similar insights – with a small difference. Transaction data doesn’t show the future what I want, but rather the past what I have spent my money on.
In part, this information seems less valuable: an advertiser may not want to know which items I have already purchased. On the other hand, this data may give good insights into my spending patterns and determine what I might want or need next. If I am spending a lot on furniture at a multinational home store, I may also be interested in some paint from a local DIY store in a color to match my new couch.
Monthly GDPR email alert
Receive the latest GDPR articles once a month.Sign-up
Know your customers – and what they want
The interest in this transaction data is large. The second Payment Services Directive (PSD2) will open up this information to service providers (when consumers consent). Startups, tech giants and more traditional financial organizations see this value and are looking to use the data where they can.
Consumers can also get advantages from newly developed services, as long as service providers find a mutual benefit for consumers and themselves. I’m happy to provide my transaction data in order to get offers sent to me, as long as I feel these offers are truly interesting to me instead of seemingly random and intrusive ads. Others may not like these offers – which is of course fine, as long as they are able to make a clear choice.
Providing consumers with this choice will be important. If a business model can’t exist without this data use, at least give me the option not to use your service. The GDPR emphasizes giving the data subject the control and the power to make decisions.
To serve and protect
There are some constraints: I want to know in a fair amount of detail what my data is being used for. I want to have control over when I want the service to stop, and I want to be able to order the service provider to delete my data upon request. I also want to have this information and exercise my rights right now, not by sending a letter through the mail.
In addition: my data should never fall in the wrong hands. Traditional financial institutions have massive security budgets to protect the data concerning a customer’s financials. Newcomers may find this to be more difficult.
Privacy constraints have existed for a long time. The GDPR clarifies many constraints and strengthens consumers’ rights. Its message is clear: you can use personal data, as long as you have included sufficient safeguards to protect consumers’ rights.